<!-- A coordinator can do anything to the object or its children unless the -->
<!-- permissions are set not to inherit or permission is denied. -->
<permissionGroup name="Coordinator" allowFullControl="true" expose="true" />

<!-- A collaborator can do anything that an editor and a contributor can do -->
<permissionGroup name="Collaborator" allowFullControl="false" expose="true">
   <includePermissionGroup permissionGroup="Editor" type="cm:cmobject" />
   <includePermissionGroup permissionGroup="Contributor" type="cm:cmobject" />
</permissionGroup>

<!-- A contributor can create content and then they have full permission on what -->
<!-- they have created - via the permissions assigned to the owner. -->
<permissionGroup name="Contributor" allowFullControl="false" expose="true" >
   <!-- Contributor is a consumer who can add content, and then can modify via the -->
   <!-- owner permissions. -->
   <includePermissionGroup permissionGroup="Consumer" type="cm:cmobject"/>
   <includePermissionGroup permissionGroup="AddChildren" type="sys:base"/>
   <includePermissionGroup permissionGroup="ReadPermissions" type="sys:base" />
</permissionGroup>

<!-- An editor can read and write to the object; they cannot create -->
<!-- new nodes. They can check out content into a space to which they have -->
<!-- create permission. -->
<permissionGroup name="Editor" expose="true" allowFullControl="false" >
   <includePermissionGroup type="cm:cmobject" permissionGroup="Consumer"/>
   <includePermissionGroup type="sys:base" permissionGroup="Write"/>
   <includePermissionGroup type="cm:lockable" permissionGroup="CheckOut"/>
   <includePermissionGroup type="sys:base" permissionGroup="ReadPermissions"/>
</permissionGroup>


I did not have additional tips, but I believe that is possible. Sorry for the delay in replying; I have been busy on some other projects. I believe that is possible but will require a customization of greater complexity. Our profile createChildrens (create folders and contents), what we would like createFolder, these rules are actually called the set of commands that access apiAlfresco. But not only these custom XML files.

I have a situation where a user wants to add content <via business rule> but he can't see that space. I get "Access Denied". I want to add a new role in order to add content even when the folder is not visible. I've found this site http://www.packtpub.com/article/roles-in-alfresco that looks like my case. I've tried this but it will not work. I am working with 3.0. Can anyone help me out with this, please?

Hi everyone, I'm very new to Alfresco. I have a doubt about customizing roles in Alfresco. I want to give the following permissions to the Contributor role: 1) View, 2) Upload content. I don't want to give that role permission for downloading or creating sub-folders. What do I have to do for this in permissionDefenition.xml?

I am looking for a way to disable the basic authentication that happens automatically for web scripts when they require authentication.

I am developing a custom web application which is backed by a number of web scripts which require an authenticated user. However, rather than relying on the browser-based basic auth mechanism, we prefer to rely on alfresco login which delegates to a web script which takes a username and password explicitly and gives back the alf_ticket that we are using for all subsequent interaction with other web scripts.

My problem is that when a web script is requested with an expired ticket, this leads to a basic authentication prompt in the user's browser. We don't want to use that prompt for authentication due to usability and other concerns; instead, we simply want to detect the 401 (or 403 maybe) indicating that the user is not authenticated, then redirect to the login page, without the nasty browser-based basic authentication popping up.

Can you validate the ticket in the custom webapp before using it (either before each call or have a script that runs on a timer checking the ticket)? There is an Alfresco Web Script for this:

GET /alfresco/service/api/login/ticket/{ticket}

It returns:
- STATUS_SUCCESS (200) - if the ticket is valid
- STATUS_NOT_FOUND (404) - if the ticket is not valid
- STATUS_NOT_FOUND (404) - if the ticket does not belong to the current user
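The ticket check suggested above, as an added example that is not part of the original thread: it builds the validation URL, maps the documented 200/404 results (plus 401/403) to a decision, and tells the web app when to send the user to its own login page. The names `ticketCheckUrl`, `classifyStatus`, `checkTicket` and `LOGIN_PAGE` are hypothetical, and passing the ticket as the `alf_ticket` query parameter to authenticate the check is an assumption.

```javascript
// Added example; LOGIN_PAGE is an assumed path for the custom app's login page.
const LOGIN_PAGE = "/login";

// Build the validation URL. The ticket is percent-encoded so a malformed value
// cannot change the request path or smuggle in extra query parameters.
function ticketCheckUrl(baseUrl, ticket) {
  const t = encodeURIComponent(ticket);
  const base = baseUrl.replace(/\/+$/, "");
  // Assumption: the check itself is authenticated with the same ticket.
  return `${base}/alfresco/service/api/login/ticket/${t}?alf_ticket=${t}`;
}

// Map the HTTP status of the check to a state the web app can act on.
function classifyStatus(status) {
  if (status === 200) return "valid";
  if (status === 404) return "invalid"; // not valid, or not the current user's
  if (status === 401 || status === 403) return "unauthenticated";
  return "error"; // anything else is never treated as a valid session
}

// fetchImpl is injected (window.fetch in the browser, a stub in tests).
// Resolves to { state, redirectTo }; redirectTo is set when a new login is needed.
async function checkTicket(baseUrl, ticket, fetchImpl) {
  if (typeof ticket !== "string" || ticket.length === 0) {
    return { state: "invalid", redirectTo: LOGIN_PAGE };
  }
  let state;
  try {
    const res = await fetchImpl(ticketCheckUrl(baseUrl, ticket), { method: "GET" });
    state = classifyStatus(res.status);
  } catch (err) {
    state = "error"; // network failure: fail closed, let the caller retry
  }
  const needsLogin = state === "invalid" || state === "unauthenticated";
  return { state, redirectTo: needsLogin ? LOGIN_PAGE : null };
}
```

Run `checkTicket` before each call to a protected web script, or on a timer, and navigate to `redirectTo` when it is set.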